[
https://jira.jboss.org/jira/browse/JBPORTAL-2462?page=com.atlassian.jira....
]
Andy Pemberton updated JBPORTAL-2462:
-------------------------------------
Description:
I believe there is an issue in the PortalNode API when building the map of children for a
given node. The issue lies in the strategy for checking the permissions on a Page
(PortalObjectPermission - configured in *-object.xml) vs. Window (InstancePermission -
configured in portlet-instances.xml).
The current implementation: PortalNodeImpl.NodeList.buildChildMap(PortalNodeImpl
objectNode) checks permissions for each child node as follows:
   ...
   if (!visible)
   {
      // same check for every child, whatever its type
      visible = portalAuthorizationManager.checkPermission(new PortalObjectPermission(childObject.getId(), PortalObjectPermission.VIEW_MASK));
   }
   ...
The problem here is that when building the child map for a page, the children may be
either other Pages or portlet Windows; the current code only correctly checks permissions
for child Pages.
I think the above code should check the permissions as follows:
   ...
   if (!visible)
   {
      if (childObject.getType() == PortalObject.TYPE_WINDOW)
      {
         // windows are secured by InstancePermission (portlet-instances.xml)
         visible = objectNode.portalAuthorizationManager.checkPermission(new InstancePermission(((WindowImpl) childObject).getURI(), InstancePermission.VIEW_ACTION));
      }
      else
      {
         // pages are secured by PortalObjectPermission (*-object.xml)
         visible = objectNode.portalAuthorizationManager.checkPermission(new PortalObjectPermission(childObject.getId(), PortalObjectPermission.VIEW_MASK));
      }
   }
   ...
This issue may be less apparent because the implementation first checks the
'viewrecursive' permission on pages and if it exists, doesn't check the window
permissions at all. One way to reproduce the issue is to ensure a given page is secured
with 'view' permission only and then use the PortalNode API to create a link from
one portlet to another on the same page (as suggested in section 13.9.3 of the reference
guide: 'Link to other pages'
http://docs.jboss.com/jbportal/v2.7.1/referenceGuide/html_single/#d0e7436).
I've checked that this issue exists in JBP 2.6 and 2.7; I've attached a patch that
I've tested against 2.6.5.
PortalNode permissions check problem for child Windows
------------------------------------------------------
Key: JBPORTAL-2462
URL:
https://jira.jboss.org/jira/browse/JBPORTAL-2462
Project: JBoss Portal
Issue Type: Bug
Security Level: Public(Everyone can see)
Components: Portal Core
Affects Versions: 2.6.8 Final, 2.7.2 Final
Reporter: Andy Pemberton
Attachments: portalnode-permissions.patch
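The following is an added, self-contained model of the two child-map strategies described in the report; it is not JBoss Portal code and not the attached patch. The class names (PortalObject, Policy, ChildMapPermissionDemo), the grant tables and the constructed page/window layout are assumptions made for illustration; only the shape of the check (a 'viewrecursive' short-circuit on the page, then a per-child check that either ignores or dispatches on the child type) follows the description above.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Added example modelling the check described in JBPORTAL-2462. The classes here are
 * simplified stand-ins (assumed names), not JBoss Portal's PortalNodeImpl,
 * PortalObjectPermission or InstancePermission; only the shape of the two
 * buildChildMap strategies follows the report.
 */
public class ChildMapPermissionDemo {

    static final int TYPE_PAGE = 1;
    static final int TYPE_WINDOW = 2;

    /** A page is keyed by its object id; a window additionally carries the instance URI it renders. */
    static final class PortalObject {
        final String id;
        final int type;
        final String instanceURI; // null for pages

        PortalObject(String id, int type, String instanceURI) {
            this.id = id;
            this.type = type;
            this.instanceURI = instanceURI;
        }
    }

    /** Two separate grant tables, as in *-object.xml (objects) vs portlet-instances.xml (instances). */
    static final class Policy {
        final Map<String, Set<String>> objectGrants = new HashMap<>();   // object id -> actions
        final Map<String, Set<String>> instanceGrants = new HashMap<>(); // instance URI -> actions

        void grantObject(String id, String... actions) { objectGrants.put(id, new HashSet<>(Arrays.asList(actions))); }
        void grantInstance(String uri, String... actions) { instanceGrants.put(uri, new HashSet<>(Arrays.asList(actions))); }

        boolean checkPortalObject(String id, String action) {
            return objectGrants.getOrDefault(id, Collections.<String>emptySet()).contains(action);
        }
        boolean checkInstance(String uri, String action) {
            return instanceGrants.getOrDefault(uri, Collections.<String>emptySet()).contains(action);
        }
    }

    /** Original strategy: every child is checked as a portal object, whatever its type. */
    static List<String> buildChildMapOriginal(Policy p, PortalObject page, List<PortalObject> children) {
        boolean recursive = p.checkPortalObject(page.id, "viewrecursive");
        List<String> visibleIds = new ArrayList<>();
        for (PortalObject child : children) {
            boolean visible = recursive; // 'viewrecursive' on the page skips the per-child check
            if (!visible) {
                // In this model a window's id never appears in the object grants, so a window is denied here.
                visible = p.checkPortalObject(child.id, "view");
            }
            if (visible) visibleIds.add(child.id);
        }
        return visibleIds;
    }

    /** Proposed strategy: dispatch on type so a window is checked against its instance permission. */
    static List<String> buildChildMapFixed(Policy p, PortalObject page, List<PortalObject> children) {
        boolean recursive = p.checkPortalObject(page.id, "viewrecursive");
        List<String> visibleIds = new ArrayList<>();
        for (PortalObject child : children) {
            boolean visible = recursive;
            if (!visible) {
                if (child.type == TYPE_WINDOW) {
                    visible = p.checkInstance(child.instanceURI, "view");
                } else {
                    visible = p.checkPortalObject(child.id, "view");
                }
            }
            if (visible) visibleIds.add(child.id);
        }
        return visibleIds;
    }

    public static void main(String[] args) {
        // Constructed portal layout (assumed ids): one page with a sub-page and one portlet window.
        PortalObject page = new PortalObject("default.page1", TYPE_PAGE, null);
        PortalObject subPage = new PortalObject("default.page1.sub", TYPE_PAGE, null);
        PortalObject window = new PortalObject("default.page1.win1", TYPE_WINDOW, "/my-app/MyInstance");
        List<PortalObject> children = Arrays.asList(subPage, window);

        // Reproduction from the report: page and sub-page secured with 'view' only, instance granted 'view'.
        Policy viewOnly = new Policy();
        viewOnly.grantObject(page.id, "view");
        viewOnly.grantObject(subPage.id, "view");
        viewOnly.grantInstance(window.instanceURI, "view");
        System.out.println("'view' only     original: " + buildChildMapOriginal(viewOnly, page, children));
        System.out.println("'view' only     fixed:    " + buildChildMapFixed(viewOnly, page, children));

        // With 'viewrecursive' on the page both strategies agree, which is what hides the bug.
        Policy recursive = new Policy();
        recursive.grantObject(page.id, "viewrecursive");
        recursive.grantInstance(window.instanceURI, "view");
        System.out.println("'viewrecursive' original: " + buildChildMapOriginal(recursive, page, children));
        System.out.println("'viewrecursive' fixed:    " + buildChildMapFixed(recursive, page, children));
    }
}
```

Run with `javac ChildMapPermissionDemo.java && java ChildMapPermissionDemo`. Under the 'view'-only policy the original strategy leaves the window out of the child map even though its instance is granted 'view', while the fixed strategy includes it; under 'viewrecursive' the two agree, which is why the problem only surfaces on pages secured with 'view' alone.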
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators:
https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see:
http://www.atlassian.com/software/jira